prohand

Bitlocker management client internet


Hello,

I installed MBAM on my SCCM server without problem.
Everything works properly locally.

I deployed a server in DMZ to be able to manage my clients on the internet.

When I deploy BitLocker via the local network, everything works: the BitLocker window opens to activate it.

When I deploy BitLocker on a computer located on the internet, no window opens and I have this in the logs:

Unable to find suitable Recovery Service MP

I use SCCM 1910.

Thanks

Edited by prohand

"Unable to find suitable Recovery Service MP" usually means that it cannot communicate with the HTTPS-enabled management point. Are you using PKI on your clients and SCCM server(s)?

OK, I missed the 'internet' part; I haven't tested this for IBCM clients yet. Have you configured your certs to work with internet-based clients?

OK, can you please zip up the BitLocker logs in c:\windows\ccm\logs and send them to me or attach them here? I'll ask Microsoft to comment.

I just found this on my server in the DMZ:

Maybe it's related.

Can I send you the logs in MP?

]LOG]!><time="12:01:22.108-60" date="01-21-2020" component="CertificateMaintenance" context="" type="1" thread="4816" file="Event.cpp:908">
<![LOG[Looking for cert with SHA1 hash 4xxxx in cert store My.]LOG]!><time="12:01:22.265-60" date="01-21-2020" component="CertificateMaintenance" context="" type="1" thread="4816" file="ccmgencert.cpp:1524">
<![LOG[CSP associated with MP Certificate does not support SHA256 signing. Using SHA1 signing]LOG]!><time="12:01:22.280-60" date="01-21-2020" component="CertificateMaintenance" context="" type="2" thread="4816" file="ccmgencert.cpp:5921">
<![LOG[Raising pending event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
	ClientID = "GUID:65xx3-xxxx";
	DateTime = "20200121120122.119000+000";
	HRESULT = "0x00000000";
	ProcessID = 2584;
	ThreadID = 7792;
};
]LOG]!><time="13:01:22.119-60" date="01-21-2020" component="CertificateMaintenance" context="" type="1" thread="7792" file="Event.cpp:908">
<![LOG[Looking for cert with SHA1 hash 4xxxxx in cert store My.]LOG]!><time="13:01:22.275-60" date="01-21-2020" component="CertificateMaintenance" context="" type="1" thread="7792" file="ccmgencert.cpp:1524">
<![LOG[CSP associated with MP Certificate does not support SHA256 signing. Using SHA1 signing]LOG]!><time="13:01:22.307-60" date="01-21-2020" component="CertificateMaintenance" context="" type="2" thread="7792" file="ccmgencert.cpp:5921">
<![LOG[No client certificate was negotiated. Async: 0]LOG]!><time="12:56:06.031-60" date="01-21-2020" component="DeviceCertAuthModule" context="" type="3" thread="6252" file="devicecertauthmodule.cpp:931">
<![LOG[Failing HTTP request with status code 403.7 with HR 0x0 and reason "Client certificate required"]LOG]!><time="12:56:06.031-60" date="01-21-2020" component="DeviceCertAuthModule" context="" type="3" thread="6252" file="devicecertauthmodule.cpp:119">
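Given the DmpDeviceCertAuthModule entries above and the question of whether they line up in time with the client's traffic to the MP, here is an added example (not from this thread, and not Microsoft's tooling) that parses CMTrace-format lines and pulls out the client-certificate rejections in time order. The sample log is constructed with a placeholder thumbprint, and reading the trailing `-60` in `time=` as a timezone bias in minutes is an assumption about the format.

```python
import re
from datetime import datetime

# One CMTrace entry: the message body followed by its attribute tag. re.S lets
# multi-line messages (such as the CCM_ServiceHost_CertRetrieval_Status instance) match.
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]+)" date="(?P<date>[^"]+)" '
    r'component="(?P<component>[^"]*)" context="[^"]*" type="(?P<type>\d)" '
    r'thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">',
    re.S,
)
# time="12:56:06.031-60": wall-clock time, then (assumed) a timezone bias in minutes.
TIME_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})([+-]\d+)$")
ERROR = 3  # CMTrace severity: 1 = informational, 2 = warning, 3 = error
# Fragments that mark the MP rejecting a request because no client cert was presented.
CERT_FAILURE_MARKERS = ("Client certificate required", "No client certificate was negotiated")

# Constructed sample in the format of the entries posted above (placeholder thumbprint).
SAMPLE_LOG = (
    '<![LOG[Raising pending event:\n\ninstance of CCM_ServiceHost_CertRetrieval_Status\n{\n'
    '\tHRESULT = "0x00000000";\n};\n]LOG]!><time="12:01:22.119-60" date="01-21-2020" '
    'component="CertificateMaintenance" context="" type="1" thread="7792" file="Event.cpp:908">\n'
    '<![LOG[Failing HTTP request with status code 403.7 with HR 0x0 and reason '
    '"Client certificate required"]LOG]!><time="12:56:06.031-60" date="01-21-2020" '
    'component="DeviceCertAuthModule" context="" type="3" thread="6252" file="devicecertauthmodule.cpp:119">\n'
    '<![LOG[No client certificate was negotiated. Async: 0]LOG]!><time="12:56:06.031-60" '
    'date="01-21-2020" component="DeviceCertAuthModule" context="" type="3" thread="6252" '
    'file="devicecertauthmodule.cpp:931">\n'
    '<![LOG[Looking for cert with SHA1 hash PLACEHOLDER_THUMBPRINT in cert store My.]LOG]!>'
    '<time="12:01:22.265-60" date="01-21-2020" component="CertificateMaintenance" context="" '
    'type="1" thread="4816" file="ccmgencert.cpp:1524">\n'
)

def parse_cmtrace(text):
    """Parse CMTrace text into dicts: local datetime, bias, component, severity, thread, message."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        clock, bias = TIME_RE.match(m.group("time")).groups()
        stamp = datetime.strptime(m.group("date") + " " + clock, "%m-%d-%Y %H:%M:%S.%f")
        entries.append({"time": stamp, "bias_minutes": int(bias), "component": m.group("component"),
                        "severity": int(m.group("type")), "thread": int(m.group("thread")),
                        "message": m.group("msg").strip()})
    return entries

def client_cert_failures(entries):
    """Errors where the MP demanded a client cert the caller never presented, oldest first."""
    hits = [e for e in entries
            if e["severity"] == ERROR and any(k in e["message"] for k in CERT_FAILURE_MARKERS)]
    return sorted(hits, key=lambda e: e["time"])  # stable, so same-time entries keep log order
```

Run the two functions over the real DmpDeviceCertAuthModule.log and compare the returned timestamps with the client's own ClientIDManagerStartup.log or CcmMessaging.log traffic to see whether the 403.7 rejections coincide with the client talking to the MP.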

 


That does look related. Does it correlate to when the client was communicating with the MP? If you want to zip logs and email them to me, then fine; send them to niall AT windows DASH noob DOT com


Hello,

I still have the error cited above in DmpDeviceCertAuthModule.log, but this does not correspond to the moment when I evaluate BitLocker compliance.

The mpcontrol.log of the DMZ server indicates that SSL is enabled.

Have you been able to see my log file?

Thank you


I didn't get any log file; try again: niall@windows-noob.com


Any updates to this post? I'm getting the same error on my internet-based clients on 1910. All traffic is fine to the MP over HTTPS and the PKI certificate is in place.

Note, I do not have this error on domain-based intranet clients, so I do know my BL policy is working fine there. 😀

Thanks!

P.S. I can submit log files as well.


Are your VPNs somehow blocking communication? Are you using VPNs?


If I had a vote left, Marc, I'd vote for it. Did you tweet it yet?


That is cuz you are one crazy awesome dude Niall!!!  Still have my fingers crossed that we get to have that drink this summer!!  Waiting to find out if we are still going to have our CTG Summit in August! 🤙


One cool thing you CAN do right now @lambertrich is get the policies out to devices over IBCM and once they VPN into your enviro, they will escrow their keys and encrypt.  We tested and validated this as a workaround until a solid solution is provided by MS.
